[Bro] Multiple Intel framework hits for same connection?

Seth Hall seth at icir.org
Fri Sep 19 13:15:11 PDT 2014


On Sep 19, 2014, at 3:57 PM, Aaron Gee-Clough <lists at g-clef.net> wrote:

> I have a question about the intel framework: if a flow matches both an 
> Intel::ADDR and Intel::CERT_HASH (for example), will the intel framework 
> generate notice logs for both matches, or just one?

It should definitely match both.  That's a problem if it's not.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
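The behaviour Seth describes (one intel.log entry per matched indicator, even when several indicator types hit the same connection) is easy to verify on a sensor. The script below is an added example written for this page; it is not code from the Bro project or from either poster. It assumes intel.log is Bro's tab-separated ASCII format with a `#fields` header naming the columns and with `uid`, `seen.indicator_type` and `seen.indicator` among them; the three log rows are constructed, not captured from a real sensor.

```python
"""
Check that every indicator type which hit a connection has its own
intel.log entry. Added example; not code from the Bro project or the
mailing-list thread.

Assumption: intel.log uses Bro's tab-separated ASCII log format with a
'#fields' header line, and the columns include 'uid',
'seen.indicator' and 'seen.indicator_type'.
"""
from collections import defaultdict

# Constructed sample intel.log content (not captured from a real sensor):
# one connection hit by both an Intel::ADDR and an Intel::CERT_HASH
# indicator, and a second connection hit by an Intel::ADDR only.
SAMPLE_INTEL_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tintel
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tseen.indicator\tseen.indicator_type\tseen.where\tsources
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tenum\tenum\tset[string]
1411157000.000000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t192.0.2.10\t443\t192.0.2.10\tIntel::ADDR\tConn::IN_RESP\tfeed-a
1411157000.250000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t192.0.2.10\t443\t0123456789abcdef0123456789abcdef01234567\tIntel::CERT_HASH\tX509::IN_CERT\tfeed-b
1411157005.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t51235\t198.51.100.20\t80\t198.51.100.20\tIntel::ADDR\tConn::IN_RESP\tfeed-a
"""


def parse_bro_log(text):
    """Parse Bro ASCII log text into a list of dicts keyed by the '#fields' names.

    Column names are taken from the log's own header, so the parser does not
    hard-code the intel.log layout beyond the columns used below.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blanks
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def hits_per_connection(rows):
    """Map each connection uid to the set of indicator types logged for it."""
    hits = defaultdict(set)
    for row in rows:
        hits[row["uid"]].add(row["seen.indicator_type"])
    return dict(hits)


def missing_hits(rows, expected):
    """Return sorted (uid, indicator_type) pairs from `expected` that have no
    intel.log entry.

    `expected` maps a uid to the indicator types an analyst knows should have
    matched it. An empty result means every match was logged, which is the
    behaviour the thread says the framework should exhibit; anything else is
    the "problem" Seth refers to and worth a bug report.
    """
    seen = hits_per_connection(rows)
    return sorted((uid, itype)
                  for uid, types in expected.items()
                  for itype in types
                  if itype not in seen.get(uid, set()))


if __name__ == "__main__":
    rows = parse_bro_log(SAMPLE_INTEL_LOG)
    for uid, types in sorted(hits_per_connection(rows).items()):
        print(uid, sorted(types))
    print("missing:", missing_hits(rows, {
        "CXWv6p3arKYeMETxOg": {"Intel::ADDR", "Intel::CERT_HASH"},
        "C4J4Th3PJpwUYZZ6gc": {"Intel::ADDR", "Intel::CERT_HASH"},
    }))
```

To run this against a live sensor, replace `SAMPLE_INTEL_LOG` with the contents of the sensor's intel.log and build `expected` from the indicators you deliberately placed in a test feed. Because rows are keyed by `uid`, hits from different indicator types on the same connection group together naturally, which is exactly the case the question asks about.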



